feat: remote audit storage backend

math280h · math280h · commit 6c9b3ecaa0a9 · 2026-06-20T17:00:37.000-04:00
Abstract the audit log behind an async AuditSink trait with selectable
backends. Keep the local file backend (default, renamed to FileAuditSink)
and add an HttpAuditSink that POSTs each JSON record to a configured
endpoint with optional bearer auth.

Add an [audit] config section (backend, endpoint, token_env) with overlay
merging and validation, build the sink in the service, and make the
decision logging path async.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -44,6 +44,7 @@ anyhow.workspace = true
 async-trait.workspace = true
 chrono.workspace = true
 clap.workspace = true
+reqwest.workspace = true
 rmcp.workspace = true
 rusqlite.workspace = true
 schemars.workspace = true
diff --git a/README.md b/README.md
@@ -277,7 +277,7 @@ Prioritized planned work:
 - [ ] Dependency confusion defenses for internal/private package names
 - [ ] Policy simulation mode (`what-if`) without enforcement
 - [ ] Metrics/log schema for latency, cache hit ratio, and registry error rates
-- [ ] Support remote audit storage backends
+- [x] Support remote audit storage backends
 - [ ] Support remote config sources (GitHub repo, HTTP endpoint, etc.)
 - [ ] Support for private registries
 
diff --git a/docs/configuration-spec.md b/docs/configuration-spec.md
@@ -50,6 +50,9 @@ Project values overlay global values.
 | `cache.ttl_minutes` | integer | `30` | Cache TTL in minutes. `0` resets to default. |
 | `lockfile.eval_concurrency` | integer | `5` | Number of packages evaluated in parallel during lockfile audits. Lower values reduce API burst load. `0` resets to default. |
 | `lockfile.inter_batch_delay_ms` | integer | `100` | Milliseconds to wait before spawning each replacement evaluation task after one completes. The initial batch is spawned immediately. Helps avoid rate limiting by spacing requests over time. Set to `0` for no delay. |
+| `audit.backend` | enum | `file` | `file \| http`. `file` appends records to the local audit log; `http` POSTs each record as JSON to `audit.endpoint`. |
+| `audit.endpoint` | string | unset | HTTP endpoint that receives audit records. Required when `audit.backend = http`. |
+| `audit.token_env` | string | unset | Name of the environment variable holding a bearer token sent as `Authorization: Bearer <token>` on HTTP audit requests. |
 | `custom_rules` | array(table) | `[]` | User-defined rule set evaluated alongside built-in checks. Invalid rules fail config load. |
 
 ## Merge rules
@@ -111,6 +114,11 @@ ttl_minutes = 30
 eval_concurrency = 5        # Number of packages evaluated in parallel
 inter_batch_delay_ms = 100  # Delay between spawning evaluation tasks (helps with rate limiting)
 
+[audit]
+backend = "http"                         # "file" (default) or "http"
+endpoint = "https://audit.example.com/v1/records"
+token_env = "SAFE_PKGS_AUDIT_TOKEN"      # env var holding the bearer token
+
 [[custom_rules]]
 id = "deny-very-new-low-downloads"
 severity = "high"
diff --git a/src/audit_log.rs b/src/audit_log.rs
@@ -4,20 +4,41 @@ use std::env;
 use std::fs::{self, File, OpenOptions};
 use std::io::Write;
 use std::path::PathBuf;
+use std::sync::Arc;
 use std::sync::Mutex;
 
+use async_trait::async_trait;
 use chrono::Utc;
 use serde::Serialize;
 
+use crate::config::{AuditBackend, AuditConfig};
 use crate::types::{Evidence, Metadata, Severity};
 
-/// File-backed logger that writes one JSON record per line.
-pub struct AuditLogger {
+/// Audit destination for decision records.
+#[async_trait]
+pub trait AuditSink: Send + Sync {
+    /// Persists a single audit record.
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if the record cannot be persisted.
+    async fn log(&self, record: &AuditRecord) -> anyhow::Result<()>;
+}
+
+/// File-backed sink that writes one JSON record per line.
+pub struct FileAuditSink {
     file: Mutex<File>,
 }
 
-/// Serialized audit event written to the local audit log.
-#[derive(Debug, Serialize)]
+/// HTTP-backed sink that POSTs each record as JSON to a configured endpoint.
+pub struct HttpAuditSink {
+    client: reqwest::Client,
+    endpoint: String,
+    token: Option<String>,
+}
+
+/// Serialized audit event written to the audit log.
+#[derive(Debug, Clone, Serialize)]
 pub struct AuditRecord {
     timestamp: String,
     policy_snapshot_version: u8,
@@ -57,7 +78,7 @@ pub struct PackageDecision<'a> {
     pub cached: bool,
 }
 
-impl AuditLogger {
+impl FileAuditSink {
     /// Creates or opens the audit log file at the default path.
     ///
     /// # Errors
@@ -76,25 +97,77 @@ impl AuditLogger {
             file: Mutex::new(file),
         })
     }
+}
 
-    /// Appends a single JSON record followed by newline.
-    ///
-    /// # Errors
-    ///
-    /// Returns an error if serialization fails, writing fails, or the mutex is poisoned.
-    pub fn log(&self, record: AuditRecord) -> anyhow::Result<()> {
+#[async_trait]
+impl AuditSink for FileAuditSink {
+    async fn log(&self, record: &AuditRecord) -> anyhow::Result<()> {
         let mut file = self
             .file
             .lock()
             .map_err(|_| anyhow::anyhow!("audit log mutex poisoned"))?;
-        let json = serde_json::to_string(&record)?;
+        let json = serde_json::to_string(record)?;
         file.write_all(json.as_bytes())?;
         file.write_all(b"\n")?;
         file.flush()?;
         Ok(())
     }
 }
 
+impl HttpAuditSink {
+    /// Creates an HTTP sink that POSTs records to `endpoint` with optional bearer auth.
+    pub fn new(endpoint: String, token: Option<String>) -> Self {
+        Self {
+            client: reqwest::Client::new(),
+            endpoint,
+            token,
+        }
+    }
+}
+
+#[async_trait]
+impl AuditSink for HttpAuditSink {
+    async fn log(&self, record: &AuditRecord) -> anyhow::Result<()> {
+        let mut request = self.client.post(&self.endpoint).json(record);
+        if let Some(token) = &self.token {
+            request = request.bearer_auth(token);
+        }
+        let response = request.send().await?;
+        let status = response.status();
+        if !status.is_success() {
+            return Err(anyhow::anyhow!(
+                "audit endpoint returned non-success status: {status}"
+            ));
+        }
+        Ok(())
+    }
+}
+
+/// Builds the configured audit sink (file or HTTP).
+///
+/// # Errors
+///
+/// Returns an error if the file sink cannot be opened or the HTTP backend is misconfigured.
+pub fn build_audit_sink(config: &AuditConfig) -> anyhow::Result<Arc<dyn AuditSink>> {
+    match config.backend {
+        AuditBackend::File => Ok(Arc::new(FileAuditSink::new()?)),
+        AuditBackend::Http => {
+            let endpoint = config
+                .endpoint
+                .clone()
+                .filter(|value| !value.is_empty())
+                .ok_or_else(|| {
+                    anyhow::anyhow!("audit.endpoint is required for the http backend")
+                })?;
+            let token = config
+                .token_env
+                .as_deref()
+                .and_then(|name| env::var(name).ok());
+            Ok(Arc::new(HttpAuditSink::new(endpoint, token)))
+        }
+    }
+}
+
 impl AuditRecord {
     /// Builds an audit record for a package decision event.
     pub fn package_decision(input: PackageDecision<'_>) -> Self {
diff --git a/src/config/mod.rs b/src/config/mod.rs
@@ -68,10 +68,35 @@ pub struct SafePkgsConfig {
     pub cache: CacheConfig,
     /// Lockfile evaluation configuration.
     pub lockfile: LockfileConfig,
+    /// Audit log backend configuration.
+    pub audit: AuditConfig,
     /// User-defined custom policy rules evaluated against package metadata.
     pub custom_rules: Vec<CustomRuleConfig>,
 }
 
+/// Audit log backend configuration.
+#[derive(Debug, Clone, Default, Deserialize, Serialize)]
+#[serde(default)]
+pub struct AuditConfig {
+    /// Storage backend for audit records.
+    pub backend: AuditBackend,
+    /// Endpoint URL for the HTTP backend. Required when `backend = http`.
+    pub endpoint: Option<String>,
+    /// Name of the environment variable holding the bearer token.
+    pub token_env: Option<String>,
+}
+
+/// Selectable audit storage backend.
+#[derive(Debug, Clone, Copy, Default, Deserialize, Serialize, PartialEq, Eq)]
+#[serde(rename_all = "lowercase")]
+pub enum AuditBackend {
+    /// Append records to a local file (default).
+    #[default]
+    File,
+    /// POST each record as JSON to a configured HTTP endpoint.
+    Http,
+}
+
 /// Allowlist configuration.
 #[derive(Debug, Clone, Default, Deserialize, Serialize)]
 #[serde(default)]
@@ -216,6 +241,7 @@ impl Default for SafePkgsConfig {
             checks: ChecksConfig::default(),
             cache: CacheConfig::default(),
             lockfile: LockfileConfig::default(),
+            audit: AuditConfig::default(),
             custom_rules: Vec::new(),
         }
     }
@@ -249,6 +275,16 @@ impl SafePkgsConfig {
     }
 
     pub(crate) fn validate(&self) -> anyhow::Result<()> {
+        if self.audit.backend == AuditBackend::Http
+            && self
+                .audit
+                .endpoint
+                .as_deref()
+                .map(str::is_empty)
+                .unwrap_or(true)
+        {
+            anyhow::bail!("audit.endpoint is required when audit.backend is \"http\"");
+        }
         custom_rules::validate_rules(&self.custom_rules)
     }
 
@@ -329,6 +365,17 @@ impl SafePkgsConfig {
                 self.lockfile.inter_batch_delay_ms = inter_batch_delay_ms;
             }
         }
+        if let Some(value) = overlay.audit {
+            if let Some(backend) = value.backend {
+                self.audit.backend = backend;
+            }
+            if let Some(endpoint) = value.endpoint {
+                self.audit.endpoint = Some(endpoint);
+            }
+            if let Some(token_env) = value.token_env {
+                self.audit.token_env = Some(token_env);
+            }
+        }
         if !overlay.custom_rules.is_empty() {
             custom_rules::merge_rules(&mut self.custom_rules, overlay.custom_rules);
         }
diff --git a/src/config/overlay.rs b/src/config/overlay.rs
@@ -4,7 +4,7 @@ use serde::Deserialize;
 
 use crate::types::Severity;
 
-use super::{AllowlistConfig, CustomRuleConfig, DenylistConfig};
+use super::{AllowlistConfig, AuditBackend, CustomRuleConfig, DenylistConfig};
 
 #[derive(Debug, Default, Deserialize)]
 #[serde(default)]
@@ -18,6 +18,7 @@ pub(super) struct ConfigOverlay {
     pub checks: Option<ChecksOverlay>,
     pub cache: Option<CacheOverlay>,
     pub lockfile: Option<LockfileOverlay>,
+    pub audit: Option<AuditOverlay>,
     pub custom_rules: Vec<CustomRuleConfig>,
 }
 
@@ -55,3 +56,11 @@ pub(super) struct LockfileOverlay {
     pub eval_concurrency: Option<usize>,
     pub inter_batch_delay_ms: Option<u64>,
 }
+
+#[derive(Debug, Deserialize, Default)]
+#[serde(default)]
+pub(super) struct AuditOverlay {
+    pub backend: Option<AuditBackend>,
+    pub endpoint: Option<String>,
+    pub token_env: Option<String>,
+}
diff --git a/src/service.rs b/src/service.rs
diff --git a/src/tests/audit_log.rs b/src/tests/audit_log.rs
